Merge branch 'master' into spec/api-versioning

.dockerignore

@@ -12,4 +12,7 @@ devops
 cover-existing.html
 coverage-existing.txt
 report-existing.xml
-testlogs-existing.txt
+testlogs-existing.txt
+hack/generator
+hack/generated
+.git

.github/workflows/pr-validation.yml

@@ -17,8 +17,32 @@ jobs:
         with:
           submodules: 'true'
 
-      - name: Build devcontainer image
-        run: docker build --tag devcontainer:1.0 .devcontainer
+      - name: Docker cache
+        id: docker-cache
+        uses: actions/cache@v2
+        with:
+          path: docker-cache
+          key: ${{ runner.os }}-${{ hashFiles('.devcontainer/**') }}
+
+      - name: Build devcontainer image (uncached)
+        if: steps.docker-cache.outputs.cache-hit != 'true'
+        # If no cache-hit we will rebuild the image from scratch with buildx, which
+        # allows us to output a cache for reuse later.
+        #
+        # We output the cache to a new folder and then remove the old cache and copy the new one there
+        # so that the cache size does not keep growing.
+        run: |
+          mkdir -p docker-cache docker-cache-new
+          docker buildx create --use
+          docker buildx build --tag devcontainer:1.0 --cache-from=type=local,src=docker-cache --cache-to=type=local,dest=docker-cache-new --load .devcontainer
+          rm -rf docker-cache && mv docker-cache-new docker-cache
+
+      - name: Build devcontainer image (cached)
+        if: steps.docker-cache.outputs.cache-hit == 'true'
+        # If we have a cache hit we can instruct docker to load from the cache.
+        # We do not write to the cache as we had a hit, and it is very slow.
+        run: |
+          docker buildx build --tag devcontainer:1.0 --cache-from=type=local,src=docker-cache --load .devcontainer
 
       - name: Run CI tasks
         run: docker run -w /workspace -v $GITHUB_WORKSPACE:/workspace -e AZURE_TENANT_ID -e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET -e AZURE_SUBSCRIPTION_ID devcontainer:1.0 task ci

Makefile

@@ -57,11 +57,21 @@ generate-test-certs:
 .PHONY: test-integration-controllers
 test-integration-controllers: generate fmt vet manifests
 	TEST_RESOURCE_PREFIX=$(TEST_RESOURCE_PREFIX) TEST_USE_EXISTING_CLUSTER=false REQUEUE_AFTER=20 \
+	AZURE_TARGET_NAMESPACES=default,watched \
 	go test -v -tags "$(BUILD_TAGS)" -coverprofile=reports/integration-controllers-coverage-output.txt -coverpkg=./... -covermode count -parallel 4 -timeout 45m \
 		./controllers/... \
 		./pkg/secrets/...
 		# TODO: Note that the above test (secrets/keyvault) is not an integration-controller test... but it's not a unit test either and unfortunately the test-integration-managers target isn't run in CI either?
 
+# Check that when there are no target namespaces all namespaces are watched
+.PHONY: test-no-target-namespaces
+test-no-target-namespaces: generate fmt vet manifests
+	TEST_RESOURCE_PREFIX=$(TEST_RESOURCE_PREFIX) TEST_USE_EXISTING_CLUSTER=false REQUEUE_AFTER=20 \
+	AZURE_TARGET_NAMESPACES= \
+	go test -v -tags "$(BUILD_TAGS)" -coverprofile=reports/no-target-namespaces-coverage-output.txt -coverpkg=./... -covermode count -parallel 4 -timeout 45m \
+		-run TestTargetNamespaces \
+		./controllers/...
+
 # Run subset of tests with v1 secret naming enabled to ensure no regression in old secret naming
 .PHONY: test-v1-secret-naming
 test-v1-secret-naming: generate fmt vet manifests
@@ -208,7 +218,7 @@ helm-chart-manifests: generate
 
 # Generate manifests e.g. CRD, RBAC etc.
 .PHONY: manifests
-manifests: install-dependencies
+manifests: install-tools
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 	# update manifests to force preserveUnknownFields to false. We can't use controller-gen to set this to false because it has a bug...
 	# see: https://github.com/kubernetes-sigs/controller-tools/issues/476
@@ -242,11 +252,11 @@ generate-template:
 # TODO: These kind-delete / kind-create targets were stolen from k8s-infra and
 # TODO: should be merged back together when the projects more closely align
 .PHONY: kind-delete
-kind-delete: install-test-dependencies
+kind-delete: install-test-tools
 	kind delete cluster --name=$(KIND_CLUSTER_NAME) || true
 
 .PHONY: kind-create
-kind-create: install-test-dependencies
+kind-create: install-test-tools
 	kind get clusters | grep -E $(KIND_CLUSTER_NAME) > /dev/null;\
 	EXISTS=$$?;\
 	if [ $$EXISTS -eq 0 ]; then \
@@ -316,20 +326,28 @@ install-cert-manager:
 install-aad-pod-identity:
 	kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
 
-.PHONY: install-test-dependencies
-install-test-dependencies: install-dependencies
-	go get github.com/jstemmer/go-junit-report \
+.PHONY: install-test-tools
+install-test-tools: TEST_TOOLS_MOD_DIR := $(shell mktemp -d -t goinstall_XXXXXXXXXX)
+install-test-tools: install-tools
+	cd $(TEST_TOOLS_MOD_DIR) \
+	&& go mod init fake/mod \
+	&& go get github.com/jstemmer/go-junit-report \
 	&& go get github.com/axw/gocov/gocov \
 	&& go get github.com/AlekSi/gocov-xml \
 	&& go get github.com/wadey/gocovmerge \
-	&& go get sigs.k8s.io/kind@v0.9.0 \
-
-.PHONY: install-dependencies
-install-dependencies:
-	go get github.com/mikefarah/yq/v4 \
+	&& go get sigs.k8s.io/kind@v0.9.0
+	rm -r $(TEST_TOOLS_MOD_DIR)
+
+.PHONY: install-tools
+install-tools: TEMP_DIR := $(shell mktemp -d -t goinstall_XXXXXXXXXX)
+install-tools:
+	cd $(TEMP_DIR) \
+	&& go mod init fake/mod \
+	&& go get github.com/mikefarah/yq/v4 \
 	&& go get k8s.io/code-generator/cmd/conversion-gen@v0.18.2 \
 	&& go get sigs.k8s.io/kustomize/kustomize/v3@v3.8.6 \
 	&& go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.4.0
+	rm -r $(TEMP_DIR)
     CONTROLLER_GEN=$(shell go env GOPATH)/bin/controller-gen
 
 # Operator-sdk release version

azure-pipelines.yml

@@ -100,7 +100,7 @@ steps:
         arch=$(go env GOARCH)
         go mod download
         make install-kubebuilder
-        make install-test-dependencies
+        make install-test-tools
         make generate-test-certs
       workingDirectory: '$(System.DefaultWorkingDirectory)'
 
@@ -156,6 +156,26 @@ steps:
       BUILD_ID: $(Build.BuildId)
     workingDirectory: '$(System.DefaultWorkingDirectory)'
 
+  # TODO: There is no way to run steps in parallel in Azure pipelines but ideally this step would run in parallel
+  # TODO: with the above testing step to reduce overall runtime
+  - script: |
+      set -e
+      export PATH=$PATH:$(go env GOPATH)/bin:$(go env GOPATH)/kubebuilder/bin
+      export KUBEBUILDER_ASSETS=$(go env GOPATH)/kubebuilder/bin
+      make test-no-target-namespaces
+    displayName: Run test for no target namespaces
+    condition: or(eq(variables['check_changes.SOURCE_CODE_CHANGED'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/master'))
+    continueOnError: 'false'
+    env:
+      GO111MODULE: on
+      AZURE_SUBSCRIPTION_ID: $(AZURE_SUBSCRIPTION_ID)
+      AZURE_TENANT_ID: $(AZURE_TENANT_ID)
+      AZURE_CLIENT_ID: $(AZURE_CLIENT_ID)
+      AZURE_CLIENT_SECRET: $(AZURE_CLIENT_SECRET)
+      REQUEUE_AFTER: $(REQUEUE_AFTER)
+      BUILD_ID: $(Build.BuildId)
+    workingDirectory: '$(System.DefaultWorkingDirectory)'
+
   - script: |
       set -e
       export PATH=$PATH:$(go env GOPATH)/bin
@@ -318,7 +338,10 @@ steps:
         echo "Setting tags back to free"
         az resource tag --tags 'freeforpipeline=true' -g $(AKS_CLUSTER_RG) -n $(chosenclustername) --resource-type Microsoft.ContainerService/managedClusters
       workingDirectory: '$(System.DefaultWorkingDirectory)'
-      failOnStandardError: true
+      # Turn off this check until our aad-pod-identity dep is updated
+      # so that it's not trying to install v1beta1
+      # ClusterRoleBindings.
+      failOnStandardError: false
 
 
   - task: Docker@2

config/default/manager_image_patch.yaml

@@ -61,6 +61,12 @@ spec:
                 name: azureoperatorsettings
                 key: AZURE_SECRET_NAMING_VERSION
                 optional: true
+          - name: AZURE_TARGET_NAMESPACES
+            valueFrom:
+              secretKeyRef:
+                name: azureoperatorsettings
+                key: AZURE_TARGET_NAMESPACES
+                optional: true
           # Used along with aad-pod-identity integration, but set always
           # because it doesn't hurt
           - name: POD_NAMESPACE

controllers/suite_test.go

@@ -15,36 +15,39 @@ import (
 	"time"
 
 	"github.com/gobuffalo/envy"
-
-	"github.com/Azure/azure-service-operator/pkg/helpers"
-	resourcemanagersqldb "github.com/Azure/azure-service-operator/pkg/resourcemanager/azuresql/azuresqldb"
-	"github.com/Azure/azure-service-operator/pkg/resourcemanager/config"
-	mysqladmin "github.com/Azure/azure-service-operator/pkg/resourcemanager/mysql/aadadmin"
-	"github.com/Azure/azure-service-operator/pkg/resourcemanager/mysql/mysqlaaduser"
-
+	"k8s.io/client-go/kubernetes/scheme"
 	kscheme "k8s.io/client-go/kubernetes/scheme"
-
 	"k8s.io/client-go/rest"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
 
-	k8sSecrets "github.com/Azure/azure-service-operator/pkg/secrets/kube"
-
+	azurev1alpha1 "github.com/Azure/azure-service-operator/api/v1alpha1"
+	"github.com/Azure/azure-service-operator/api/v1alpha2"
+	"github.com/Azure/azure-service-operator/api/v1beta1"
+	"github.com/Azure/azure-service-operator/pkg/helpers"
 	resourcemanagerapimgmt "github.com/Azure/azure-service-operator/pkg/resourcemanager/apim/apimgmt"
 	resourcemanagerappinsights "github.com/Azure/azure-service-operator/pkg/resourcemanager/appinsights"
 	resourcemanagersqlaction "github.com/Azure/azure-service-operator/pkg/resourcemanager/azuresql/azuresqlaction"
+	resourcemanagersqldb "github.com/Azure/azure-service-operator/pkg/resourcemanager/azuresql/azuresqldb"
 	resourcemanagersqlfailovergroup "github.com/Azure/azure-service-operator/pkg/resourcemanager/azuresql/azuresqlfailovergroup"
 	resourcemanagersqlfirewallrule "github.com/Azure/azure-service-operator/pkg/resourcemanager/azuresql/azuresqlfirewallrule"
 	resourcemanagersqlmanageduser "github.com/Azure/azure-service-operator/pkg/resourcemanager/azuresql/azuresqlmanageduser"
 	resourcemanagersqlserver "github.com/Azure/azure-service-operator/pkg/resourcemanager/azuresql/azuresqlserver"
 	resourcemanagersqluser "github.com/Azure/azure-service-operator/pkg/resourcemanager/azuresql/azuresqluser"
 	resourcemanagersqlvnetrule "github.com/Azure/azure-service-operator/pkg/resourcemanager/azuresql/azuresqlvnetrule"
+	"github.com/Azure/azure-service-operator/pkg/resourcemanager/config"
 	resourcemanagerconfig "github.com/Azure/azure-service-operator/pkg/resourcemanager/config"
 	resourcemanagercosmosdbaccount "github.com/Azure/azure-service-operator/pkg/resourcemanager/cosmosdb/account"
 	resourcemanagercosmosdbsqldatabase "github.com/Azure/azure-service-operator/pkg/resourcemanager/cosmosdb/sqldatabase"
 	resourcemanagereventhub "github.com/Azure/azure-service-operator/pkg/resourcemanager/eventhubs"
 	resourcemanagerkeyvaults "github.com/Azure/azure-service-operator/pkg/resourcemanager/keyvaults"
 	"github.com/Azure/azure-service-operator/pkg/resourcemanager/loadbalancer"
+	mysqladmin "github.com/Azure/azure-service-operator/pkg/resourcemanager/mysql/aadadmin"
 	mysqlDatabaseManager "github.com/Azure/azure-service-operator/pkg/resourcemanager/mysql/database"
 	mysqlFirewallManager "github.com/Azure/azure-service-operator/pkg/resourcemanager/mysql/firewallrule"
+	"github.com/Azure/azure-service-operator/pkg/resourcemanager/mysql/mysqlaaduser"
 	mysqluser "github.com/Azure/azure-service-operator/pkg/resourcemanager/mysql/mysqluser"
 	mysqlServerManager "github.com/Azure/azure-service-operator/pkg/resourcemanager/mysql/server"
 	mysqlvnetrule "github.com/Azure/azure-service-operator/pkg/resourcemanager/mysql/vnetrule"
@@ -64,16 +67,8 @@ import (
 	"github.com/Azure/azure-service-operator/pkg/resourcemanager/vmext"
 	"github.com/Azure/azure-service-operator/pkg/resourcemanager/vmss"
 	resourcemanagervnet "github.com/Azure/azure-service-operator/pkg/resourcemanager/vnet"
+	k8sSecrets "github.com/Azure/azure-service-operator/pkg/secrets/kube"
 	telemetry "github.com/Azure/azure-service-operator/pkg/telemetry"
-
-	"k8s.io/client-go/kubernetes/scheme"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/envtest"
-
-	azurev1alpha1 "github.com/Azure/azure-service-operator/api/v1alpha1"
-	"github.com/Azure/azure-service-operator/api/v1alpha2"
-	"github.com/Azure/azure-service-operator/api/v1beta1"
 	// +kubebuilder:scaffold:imports
 )
 
@@ -154,11 +149,19 @@ func setup() error {
 
 	var k8sManager ctrl.Manager
 
+	targetNamespaces := resourcemanagerconfig.TargetNamespaces()
+	var cacheFunc cache.NewCacheFunc
+	if targetNamespaces != nil {
+		log.Println("Restricting operator cache to namespaces", targetNamespaces)
+		cacheFunc = cache.MultiNamespacedCacheBuilder(targetNamespaces)
+	}
+
 	// +kubebuilder:scaffold:scheme
 	k8sManager, err = ctrl.NewManager(cfg, ctrl.Options{
-		Scheme:  scheme.Scheme,
-		CertDir: testEnv.WebhookInstallOptions.LocalServingCertDir,
-		Port:    testEnv.WebhookInstallOptions.LocalServingPort,
+		Scheme:   scheme.Scheme,
+		CertDir:  testEnv.WebhookInstallOptions.LocalServingCertDir,
+		Port:     testEnv.WebhookInstallOptions.LocalServingPort,
+		NewCache: cacheFunc,
 	})
 	if err != nil {
 		return err
@@ -935,7 +938,7 @@ func setup() error {
 	if result.Response.StatusCode != 204 {
 		_, err = resourceGroupManager.CreateGroup(context.Background(), resourceGroupName, resourceGroupLocation)
 		if err != nil {
-			return fmt.Errorf("ResourceGroup creation failed")
+			return fmt.Errorf("ResourceGroup creation failed: %v", err)
 		}
 	}